Wiring your application to the security module provided by the container (the application server), such as JBoss (jboss-web.xml).

As the above configurations show, security constraints are applied to a whole resource, for example a page. In practical applications, a page may mix controls that have different role-based functionality. For example, a page may have controls that are visible to normal users, other controls that are visible only to moderators, and the rest visible only to super/admin users.

This mix of different controls makes it impossible to choose a single role to apply to the whole page. One solution is to split the controls across different resources and apply the appropriate role to each. The second solution is to put a very low-level access role (Normal Users) on the resource and then use Java code to show and hide controls based on the principal user.
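The second approach can be sketched as follows. This is an added example, not code from the original page or from jspx, and it uses a password-reset button restricted to the admin and super roles. The class `RoleGatedControl` and its methods are hypothetical; in a servlet container the role test passed in would be `request::isUserInRole`.

```java
import java.util.Set;
import java.util.function.Predicate;

// Added illustration; class and method names are hypothetical, not jspx API.
public class RoleGatedControl {
    private final String html;
    private final Set<String> allowedRoles;

    public RoleGatedControl(String html, String... allowedRoles) {
        this.html = html;
        this.allowedRoles = Set.of(allowedRoles);
    }

    // In a servlet container, pass request::isUserInRole as the predicate.
    private boolean permitted(Predicate<String> isUserInRole) {
        return allowedRoles.stream().anyMatch(isUserInRole);
    }

    // View check: the control is left out of the response for other roles.
    public String render(Predicate<String> isUserInRole) {
        return permitted(isUserInRole) ? html : "";
    }

    // Event check: hiding the control does not stop a hand-crafted request,
    // so the handler repeats the role test before doing any work.
    public void fire(Predicate<String> isUserInRole, Runnable handler) {
        if (!permitted(isUserInRole)) {
            throw new SecurityException("caller lacks an allowed role");
        }
        handler.run();
    }

    public static void main(String[] args) {
        RoleGatedControl reset = new RoleGatedControl(
            "<input type=\"submit\" value=\"Reset password\"/>", "admin", "super");

        // Constructed principals for the demonstration.
        Predicate<String> normalUser = Set.of("user")::contains;
        Predicate<String> adminUser = Set.of("user", "admin")::contains;

        System.out.println("normal sees: [" + reset.render(normalUser) + "]");
        System.out.println("admin sees:  [" + reset.render(adminUser) + "]");

        reset.fire(adminUser, () -> System.out.println("password reset by admin"));
        try {
            reset.fire(normalUser, () -> System.out.println("should not run"));
        } catch (SecurityException e) {
            System.out.println("normal user blocked: " + e.getMessage());
        }
    }
}
```

The role test appears twice on purpose: once when rendering and once when the event fires, since a control that is only hidden can still be invoked by a request built by hand.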

jspx provides a very easy solution to this problem. Every control in jspx exposes a non-standard HTML attribute named AllowedRoles. The value of this attribute is a String listing the roles that are capable of viewing the control and firing its events.

jspx security features were first introduced in build 1.0.4, along with many other security features that are listed here.

Assume that there is a button on a page that resets the user's password. This button should be allowed only to users of type admin and super. While the whole page is viewable to normal users, they can neither view nor invoke this control.
Using standard JAAS will not solve this issue, but with jspx the solution is simply as follows: